Question on Destination NAT and Firewall Rule

Hi,

We are testing V18 in my LAB and I am confused with Firewall rule and Destination NAT policy. My configuration as like:

In the Firewall Rule, Why I need Destination HOST as "ANY". If I will choose a host IP in destination Host as my SSH server then this rule is not working. Is it a bug or some specific reason for the required "ANY" in the Destination HOST field?

Parents
  • Hi,

    When you create firewall rule for NAT rule in which destination is translated, you would need to match Dst zone as the ultimate zone in which the traffic would terminate (that is mostly the local zone – DMZ or LAN). However, you would (want to) match against the original destination IP (WAN IP on XG), here’s why:

    1. Usually one public IP would translate to different internal server IPs based on services. Admins can have one firewall access rule matching public IP; And NAT can take care of translating to different servers.
    2. Also, when admins add new servers in network, they need not to again modify firewall rule. With how this is implemented now – we can just edit NAT rule and we are good to go. This is true decoupled NAT/ Enterprise NAT power.
    3. Existing behavior makes it easier to configure in 1-to-Many DNAT scenario in which 1 public IP is translated against multiple local IPs. Match on the public IP adds flexibility.
    4. Industry implements DNAT in similar way. With v18, XG Firewall’s enterprise NAT capability is now at par with other competitive players.

     As we are moving to the new design, some confusion is bound to happen for existing users. We will soon support our veterans with detailed FAQs on community. Improvements in on-screen assistive text and online help is already in progress, along with the how-to-videos.

    Thank you very much for evaluating v18 early access. Appreciate your support.

  • Hi,

    Like it s an EAP, i hope that it will be better for the final release.

    It s very important that reseller and customer don t loose the Easy to Use and intuitive usage ! It was a main reason to choose the product for a lot of customers... Do more thing will be interesting if what we already do stay simple to use. Otherwise, we will probably lost customers.

    The current way (v18) is very confusing and not easy to understand. Do you have some screenshot of the new detailed design to share with us ?

     

    Regards,

    Matthieu

Reply Children
No Data